The longer a threat actor is able to operate unfettered in your environment, the more likely the actor is able to achieve Actions on Objectives, the final stage of the Cyber Kill Chain. For businesses, shorter dwell times mean reduced risk of a data breach, a malware outbreak, or their machines getting ensnared in a botnet or held hostage by ransomware. In turn, this also means lower chances of downtime, regulatory compliance penalties and hefty lawsuits and costs stemming from a cyber incident.


FIGURE 6 - The Cyber Kill Chain and the Cost of an Incident.

The importance of minimizing costs can’t be overstated. This correlation of time and cost is articulated in Ponemon Institute’s “2017 Cost of Data Breach Study: United States” report and depicted in the chart below:

FIGURE 7 - Relationships Between Mean Time to Contain and Average Cost ($M). Source: Ponemon Institute, 2017 Cost of Data Breach Study: United States.

While dwell time has been generally declining year over year, it’s still nowhere near acceptable. Currently measured in days, the average dwell time varies depending on who you ask. Ponemon Institute cites 191 days from the point of detection to the point of remediation while the time from detection to remediation being 66 days. FireEye/Mandiant reported a median Dwell Time of 99 days in their “M-TRENDS®: A View From the Front Lines 2017” report. However, that Dwell Time reflects their narrower definition of initial penetration to detection and alerting, and doesn’t include response and recovery periods.

This is a problem because mid-level threat actors are attacking vulnerable workloads within minutes and only need 4 to 6 days to infiltrate a network and then less than a day to ultimately carry out their main goal of exfiltrating data. Because we know from experience that a threat actor will not stop in their efforts to achieve Actions on Objective until they are actually kicked out of an environment, not counting the time it takes from the point of detection or alerting of the threat to its eradication from the environment underrepresents the period of time a threat actor has to operate.